The HUSKY – Products Filter Professional for WooCommerce plugin, widely used in WordPress e-commerce sites, suffers from an Insecure Direct Object Reference (IDOR) vulnerability identified as CVE-2025-13109. This vulnerability arises from the lack of proper validation on a user-controlled key parameter within the plugin's woof_add_query and woof_remove_query functions. These functions handle the insertion and removal of saved search queries associated with user profiles. Because the plugin fails to verify that the authenticated user is authorized to modify the targeted saved search queries, attackers with subscriber-level privileges or higher can manipulate the saved queries of any user, including administrators. This flaw allows an attacker to alter the integrity of user-specific data, potentially disrupting administrative workflows or causing confusion by injecting or deleting saved filters. The vulnerability is remotely exploitable over the network without requiring user interaction beyond authentication. The CVSS 3.1 base score is 4.3, reflecting a medium severity primarily due to the limited impact on confidentiality and availability but notable integrity concerns. No patches or known exploits are available at the time of publication, emphasizing the need for proactive mitigation by affected parties.

For European organizations operating WooCommerce stores with the vulnerable HUSKY Products Filter Professional plugin, this vulnerability poses a risk to data integrity within user profiles. Attackers with low-level authenticated access can manipulate saved search queries of other users, including administrators, potentially leading to administrative confusion, disruption of normal operations, or indirect impacts on decision-making processes that rely on saved filters. While the vulnerability does not expose sensitive data or cause service outages, the integrity compromise could be leveraged as part of a broader attack chain or social engineering campaign. Organizations in sectors with strict data governance or e-commerce regulations (e.g., GDPR compliance) may face reputational damage or regulatory scrutiny if such integrity issues lead to operational errors or customer dissatisfaction. The medium severity rating suggests moderate urgency but does not indicate immediate critical risk.

1. Immediately restrict plugin access to trusted roles only, minimizing subscriber-level permissions where possible. 2. Implement custom validation checks in the plugin code or via WordPress hooks to ensure that any modification of saved search queries is authorized and limited to the owning user or administrators. 3. Monitor user activity logs for unusual modifications to saved queries, especially those affecting administrator profiles. 4. If feasible, temporarily disable the HUSKY Products Filter Professional plugin until an official patch is released. 5. Engage with the plugin vendor or community to track patch releases and apply updates promptly once available. 6. Conduct regular audits of user permissions and plugin configurations to prevent privilege escalation. 7. Educate users about the risks of unauthorized access and enforce strong authentication controls to reduce the likelihood of compromised subscriber accounts.